搭建ETCD集群
etcd 只在 sh0-21 sh0-30 sh0-31 搭建
使用运维主机sh0-50
给etcd签发证书
cd /opt/certs/
vim ca-config.json
输入以下内容
{
"signing": {
"default": {
"expiry": "175200h"
},
"profiles": {
"server": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
},
"client": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
},
"peer": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
vim etcd-peer-csr.json
输入以下内容
把可能部署的所有IP记录写上
{
"CN": "k8s-etcd",
"hosts": [
"192.168.0.20",
"192.168.0.21",
"192.168.0.30",
"192.168.0.31"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "shenzhen",
"L": "shenzhen",
"O": "gy",
"OU": "ops"
}
]
}
签证书
输入命令
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer etcd-peer-csr.json | cfssl-json -bare etcd-peer
会生成以下文件
-rw-r--r--. 1 root root 1066 Feb 23 09:27 etcd-peer.csr
-rw-r--r--. 1 root root 377 Feb 23 09:23 etcd-peer-csr.json
-rw-------. 1 root root 1675 Feb 23 09:27 etcd-peer-key.pem
-rw-r--r--. 1 root root 1432 Feb 23 09:27 etcd-peer.pem
安装ETCD
在 021 030 031 安装
新增etcd用户
useradd -s /sbin/nologin -M etcd
下载etcd
创建目录 mkdir -p /opt/src/ && cd /opt
wget https://dl.serctl.com/downloads4/2020-12-08-11-15-38-download-etcd-v3.4.14-linux-amd64.tar.gz
自己下载, 这个是一个镜像, github官方太慢了, 未来可能都不能用
解压文件,创建软链接ETCD
[root@sh0-21 opt]# ll
total 0
drwx--x--x. 4 root root 28 Feb 21 11:35 containerd
lrwxrwxrwx. 1 root root 13 Feb 23 11:09 etcd -> etcd-v3.4.14/
drwxr-xr-x. 3 630384594 600260513 123 Nov 25 15:27 etcd-v3.4.14
drwxr-xr-x. 2 root root 33 Feb 23 11:09 src
复制证书
创建目录
mkdir -p /opt/etcd/certs /data/etcd /data/logs/etcd-server
进入运维主机sh0-50
发放证书给其他主机
# Push the CA cert and the etcd peer cert/key to every etcd node (run from the ops host, in /opt/certs/).
for host in sh0-21 sh0-30 sh0-31; do scp ca.pem etcd-peer.pem etcd-peer-key.pem "${host}:/opt/etcd/certs/"; done
创建etcd运行脚本
vim /opt/etcd/etcd-server-startup.sh
输入以下内容
IP 要按实际填写, 注意集群其他机器的IP
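#!/bin/sh
# Start this host's etcd member; supervisor runs this script (etcd-server.ini).
#
# listen-peer-urls     port for etcd-to-etcd (peer) traffic
# listen-client-urls   port for clients talking to etcd
# quota-backend-bytes  backend storage quota
#
# Per-host values to change: name, listen-peer-urls, listen-client-urls,
# initial-advertise-peer-urls and advertise-client-urls (all carry this
# host's IP). The cert paths are relative, so the script cd's into its own
# directory before starting etcd.
#
# NOTE(review): http://127.0.0.1:2379 is a plaintext loopback listener; client
# certificates are a TLS feature, so --client-cert-auth cannot protect it and
# any local process on the node can reach etcd through it unauthenticated.
# It is kept here because `etcdctl --endpoints=localhost:2379` relies on it;
# drop it if every local client can present a cert on the TLS endpoint.

# The assignment's status is that of the command substitution, so a failing
# readlink/dirname aborts before any cd.
WORK_DIR=$(dirname "$(readlink -f "$0")") || exit 1
cd "$WORK_DIR" || exit 1

# exec replaces this shell with etcd, so supervisor's stopsignal and PID
# tracking apply to etcd itself rather than to the wrapper.
exec /opt/etcd/etcd --name etcd-server-0-21 \
  --data-dir /data/etcd/etcd-server \
  --listen-peer-urls https://192.168.0.21:2380 \
  --listen-client-urls https://192.168.0.21:2379,http://127.0.0.1:2379 \
  --quota-backend-bytes 8000000000 \
  --initial-advertise-peer-urls https://192.168.0.21:2380 \
  --advertise-client-urls https://192.168.0.21:2379,http://127.0.0.1:2379 \
  --initial-cluster etcd-server-0-21=https://192.168.0.21:2380,etcd-server-0-30=https://192.168.0.30:2380,etcd-server-0-31=https://192.168.0.31:2380 \
  --cert-file ./certs/etcd-peer.pem \
  --key-file ./certs/etcd-peer-key.pem \
  --client-cert-auth \
  --trusted-ca-file ./certs/ca.pem \
  --peer-cert-file ./certs/etcd-peer.pem \
  --peer-key-file ./certs/etcd-peer-key.pem \
  --peer-client-cert-auth \
  --peer-trusted-ca-file ./certs/ca.pem \
  --log-outputs stdout \
  --logger=zap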
修改文件权限
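chmod u+x /opt/etcd/etcd-server-startup.sh
# user:group is the POSIX spelling; the user.group form is a GNU legacy that
# becomes ambiguous when a user name itself contains a dot. Ownership must be
# etcd's because supervisor runs the program as user=etcd.
chown -R etcd:etcd /opt/etcd/ /data/etcd /data/logs/etcd-server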
安装supervisor
yum install -y supervisor
systemctl start supervisord ; systemctl enable supervisord
vim /etc/supervisord.d/etcd-server.ini
输入以下内容
; supervisor program section for this host's etcd member; on the other nodes
; the section name presumably follows the member name (etcd-server-0-30, -0-31)
[program:etcd-server-0-21]
command=/opt/etcd/etcd-server-startup.sh ; the program (relative uses PATH, can take args)
numprocs=1 ; number of processes copies to start (def 1)
directory=/opt/etcd ; directory to cwd to before exec (def no cwd)
autostart=true ; start at supervisord start (default: true)
autorestart=true ; restart at unexpected quit (default: true)
startsecs=30 ; number of secs prog must stay running (def. 1)
startretries=3 ; max # of serial start failures (default 3)
exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
; NOTE(review): the signal goes to the process supervisor spawned, i.e. the
; startup script; etcd itself only receives it if that script exec's etcd
stopsignal=QUIT ; signal used to kill process (default TERM)
stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
user=etcd ; setuid to this UNIX account to run the program
redirect_stderr=true ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/etcd-server/etcd.stdout.log ; stdout log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=5 ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false ; emit events on stdout writes (default false)
更新supervisor
supervisorctl update
查看Supervisor执行的状态
supervisorctl status
查看日志
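# tail needs a file, not the directory; etcd.stdout.log is the stdout_logfile
# set in the supervisor program section
tail -fn 200 /data/logs/etcd-server/etcd.stdout.log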
查看etcd集群
# Talks to the plaintext loopback listener (http://127.0.0.1:2379) from the
# startup script; the TLS endpoint would additionally need --cacert/--cert/--key.
etcdctl --write-out=table --endpoints=localhost:2379 member list